Archive

Well, the weekend was not without PANIC (!!) and CONSTERNATION (!!). Saturday morning found me sitting at my desk, getting a little work done, and needing some information from the Oracle of the Internet. Looking for some info on Cisco switch commands, I was presented with a list of search results that were <GASP> all infected!!!

Imagine my sheer horror. The Internet was surely coming to a complete halt. Some evil mastermind had taken over all sites on the Web. Game over. To console myself, I went to Twitter to see who I could complain to at this early hour, and found that others were experiencing the same problem, albeit with a slightly lowered panic quotient. Hmmmm… the problem ACTUALLY could be Google, not a widespread evil plan to overthrow the Internet. Fast forward an hour, Google was operating just fine again. Thank Goodness!

The moral of this blurb: I am a pathetic little man. Losing Google for one hour actually caused me some frustration. You may not cook it in a spoon and inject it, or smoke it in a little glass pipe, but Google has successfully accomplished the Internet equivalent of addicting people to drugs. Ouch.

The next comment from the weekend is about a great old comic I saved from 2006 in Computerworld. I couldn’t find it anywhere online, so I scanned it in (apologies if it’s a little grainy, I tried to keep it small). Given that my name is, well… Dave, I absolutely love this one. Just remember, folks, every time you connect to a WiFi hotspot you don’t recognize, God kills a kitten.

OMFG, here we go again. Every security and compliance dork in the universe has their blood pressure up a bit since the announcement by Heartland Payments that 100 million+ payment card numbers may have been exposed. Am I in this same state of craziness? Of course, I’m a full-fledged security and compliance dork.

But I’m thinking about this more than ever. Knee-jerk reactions aside, what should we think about this? I am of the opinion that the current mode of thinking around audit and compliance DOES NOT WORK. There, I said it. This notion of auditing an organization once, checking off the boxes, and then coming back later to find that the shit has hit the fan is SILLY, people! When are we going to get around to figuring out that auditing should be a constant thing!?

I’m biased. No two ways about it, I work for a company (Configuresoft) that makes software that will literally solve this problem, so I know it can be done. A “point in time” audit is really of very little use these days. In this latest breach, the biggest issue (based on info we have so far) seems to be that changes were made to a system (malicious software was installed to monitor transactions) and NO ONE NOTICED. So when did the problem start? I dunno. How long have you been compromised? Uh, I dunno. Why don’t you know? Gosh, I dunno! This should be a “career limiting move” for someone.

Now the real question – will Heartland Payments see any loss of business? Despite all the hoopla, does anyone even care? We’ll make a big deal out of this, apologies will happen, security geeks will squawk day and night for a few months about how “important” this is, blah blah blah. Anyone looked at how TJX is doing? Just fine, thanks, they’ve had absolutely ZERO permanent effects from losing lots of our data. Until someone finally imposes crippling penalties on these companies, we’ll continue to see the cycle of breach –> freak out –> “we’re so sorry” –> time lapse –> forgetfulness.

And last time I checked, we have absolutely no cure for apathy. Damn, I feel about as optimistic as Bruce Schneier right now. Yuck.

I was alerted to the EFF’s Surveillance Self-Defense (SSD) Project yesterday by Dr. Infosec’s blog and felt compelled to post my own thoughts on this. In a nutshell, the project (still in “beta” BTW) is intended to educate people about government inspection of their data and communications, what the law says about it, and what you can do about it.

I’d love to think I have some “non-security” people reading this blog. If that’s you, and you’re reading this, please know that this is NOT the paranoid ranting of a security geek, this applies to all American citizens, and at some point you’ll need to understand this just like everyone else, if not for your personal data then most definitely for business data that you’re a custodian for (on a work laptop, for instance).

For my fellow security crazies, welcome. Pull up a chair. Let’s chat. I’m going to provide a brief synopsis of the program’s major categories with my thoughts on each.

Risk Management: In this section, the project breaks down concepts that all security folks know and understand well. The first is your assets – what are you trying to protect? Once you know that, you’ll need to understand the threats to your assets, in a few dimensions – the confidentiality, integrity, and availability of your assets should be obvious. The other categories that threats could impact include consistency (are the assets always behaving the same way?), control (is management of the assets controlled?), and audit (can I assess the security of the assets?). Then you need to assess the risk to your assets based on the threats – how likely is it that the threats will manifest, and what damage would ensue? For example, if you are a regular international traveler, it’s highly likely that at some point your laptop will be inspected by border agents somewhere. Finally, know your adversaries. US customs agents? Industrial spies? Wily h@x0rz? The voices in your head? You get the drift. All of these components will paint the risk picture you need to understand how to better defend yourself.

Data Stored on your Computer: This section first lays out what the government can do (here in the US). First things first – the Fourth Amendment stands strong! You should demand a lawyer if anyone tries to search you or anything in your possession. This right has not been suspended by the Patriot Act or any other government mandate, and it applies to any person in the US, citizen or not. There’s a discussion of the Reasonable Expectation of Privacy covered in this Amendment, as well. A great point about laptops – they are considered opaque containers, and thus are protected:

“Laptops, pagers, cell phones and other electronic devices are also protected. Courts have generally treated electronic devices that hold data as if they were opaque containers.”

More about the different types of search and seizure is listed, and the information about warrantless searches is really important for us all to understand. Bottom line – when traveling, a search of your laptop at the border is considered “routine” and can be performed without a warrant!

One solution to this problem is to bring a blank “traveling” laptop and leave your personal information at home. You could then access the information that you left at home over the internet by using a VPN or other secure method to connect to a server where you’ve stored the information.

However, bringing a clean laptop means more than simply dragging files into the trash. Deleting files will not remove them from your hard drive.

Another solution is to use password-based disk encryption to prevent border agents from being able to read your files. However, if an agent asks you for your password, and threatens to detain you or seize your machine for further investigation, most travelers will just give in and offer the password. The consequences of refusing to disclose a password under those circumstances are difficult to predict with certainty, but non-citizens would face a significant risk of being refused entry to the country. Citizens cannot be refused entry, but could be detained until the border agents decide what to do.

The other major “chunk” of this section talks about what you can do to protect yourself. Here’s a quick and dirty list:

Master the basics of data protection: Use authentication and access controls

Learn how to use passwords: All sorts of password tips – including a controversial one from Chuck Norris, I mean Bruce Schneier, to keep passwords written down in your wallet.

Encrypt data: ‘Nuff said.

Protect against malware: Again, ’nuff said.

Data on the Wire: As in the previous section, this one is broken into two sub-categories titled “What can the government do?” and “What can I do to protect myself?” In a nutshell this section drills into wiretaps, pen register and “trap and trace” devices, etc. The section on how to protect yourself was really good. A few things I learned:

Any “wire” communications (voice, VoIP like Skype, and cell) are more protected than email or SMS. No wiretap == no bueno for the govt in a court.

SMS is risky – easy to intercept, possible for the govt to use without a probable cause warrant, etc. Now I’m going to have to educate all my crazy anti-govt friends to use Skype. Dammit.

The Triggerfish mobile tracking technology can pinpoint your cell phone’s location when you’re not using it, and often even if it’s turned off. To be safe, you should remove the battery altogether.

The remaining sections deal with storage of information by 3rd parties, foreign intelligence and terrorism investigations (where you get tortured with pictures of Dick Cheney naked) and defensive technology. This last section is perhaps the most valuable to n00bs – it covers lots of fundamentals on browsers, encryption, anti-malware, email and IM, wireless, etc.

Highly recommended. If you are new to the EFF overall, consider donating – I do annually, and it’s a good cause.

I have a fiercely independent streak. I like raising hell, I don’t want to be quite like the other doubles-tennis yuppies of the world, and foremost, I firmly believe that I am in control of every single aspect of my life.

I can be as good at something as I want to be.

I can learn anything I want to.

I will never tolerate a shitty, micromanaging job or boss. Ever.

There’s plenty of money out there – go get it.

If you are out of shape, that’s your fault, and you WILL suffer from it, most likely. Change this. Now.

Sounds simple, more or less, right? This is a much-abbreviated version of the true life philosophy I adhere to, but it’s a few of the key points. I am never satisfied with things either – and that’s OK. You can always improve, and there’s almost always someone better at something than you are.